| V-65271 | | The DataPower Gateway providing content filtering must protect against known and unknown types of Denial of Service (DoS) attacks by employing rate-based attack prevention behavior analysis (traffic thresholds). | If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of content filtering gat... |
| V-64979 | | The DataPower Gateway must enforce approved authorizations for logical access to information and system resources by employing identity-based, role-based, and/or attribute-based security policies. | Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access contro... |
| V-65191 | | The DataPower Gateway must enforce approved authorizations for controlling the flow of information within the network based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. | Information flow control regulates where information is allowed to travel within a network. The flow of all network traffic must be monitored and cont... |
| V-65193 | | The DataPower Gateway must restrict or block harmful or suspicious communications traffic by controlling the flow of information between interconnected networks based on attribute- and content-based inspection of the source, destination, headers, and/or content of the communications traffic. | Information flow control regulates where information is allowed to travel within a network and between interconnected networks. Blocking or restrictin... |
| V-65195 | | The DataPower Gateway providing user access control intermediary services must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the network. | Display of a standardized and approved use notification before granting access to the network ensures privacy and security notification verbiage used ... |
| V-65197 | | The DataPower Gateway providing user access control intermediary services must retain the Standard Mandatory DoD-approved Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. | The banner must be acknowledged by the user prior to allowing the user access to the network. This provides assurance that the user has seen the messa... |
| V-65199 | | The DataPower Gateway providing user access control intermediary services for publicly accessible applications must display the Standard Mandatory DoD-approved Notice and Consent Banner before granting access to the system. | Display of a standardized and approved use notification before granting access to the publicly accessible network element ensures privacy and security... |
| V-65201 | | The DataPower Gateway providing intermediary services for remote access communications traffic must use encryption services that implement NIST FIPS-validated cryptography to protect the confidentiality of remote access sessions. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session. Remote ... |
| V-65203 | | The DataPower Gateway that stores secret or private keys must use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys. | Private key data is used to prove that the entity presenting a public key certificate is the certificate's rightful owner. Compromise of private key d... |
| V-65205 | | The DataPower Gateway that provides intermediary services for TLS must be configured to comply with the required TLS settings in NIST SP 800-52. | SP 800-52 provides guidance on using the most secure version and configuration of the TLS/SSL protocol. Using older unauthorized versions or incorrect... |
| V-65207 | | The DataPower Gateway providing intermediary services for remote access communications traffic must use NIST FIPS-validated cryptography to protect the integrity of remote access sessions. | Without cryptographic integrity protections, information can be altered by unauthorized users without detection. Remote access is access to DoD-nonpu... |
| V-65209 | | The DataPower Gateway must send an alert to, at a minimum, the ISSO and SCA when an audit processing failure occurs. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-65211 | | The DataPower Gateway must protect audit information from unauthorized read access. | Auditing and logging are key components of any security architecture. Logging the actions of specific events provides a means to investigate an attack... |
| V-65213 | | The DataPower Gateway must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-65215 | | The DataPower Gateway providing user authentication intermediary services must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-65217 | | The DataPower Gateway providing user access control intermediary services must be configured with a pre-established trust relationship and mechanisms with appropriate authorities (e.g., Active Directory or AAA server) which validate user account access authorizations and privileges. | User account and privilege validation must be centralized in order to prevent unauthorized access using changed or revoked privileges. ALGs can imple... |
| V-65219 | | The DataPower Gateway providing user authentication intermediary services must restrict user authentication traffic to specific authentication server(s). | User authentication can be used as part of the policy filtering rule sets. Some URLs or network resources can be restricted to authenticated users onl... |
| V-65221 | | The DataPower Gateway providing user authentication intermediary services must use multifactor authentication for network access to non-privileged accounts. | To assure accountability and prevent unauthenticated access, non-privileged users must utilize multifactor authentication to prevent potential misuse ... |
| V-65223 | | The DataPower Gateway providing user authentication intermediary services must implement replay-resistant authentication mechanisms for network access to non-privileged accounts. | A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the applicati... |
| V-65225 | | The DataPower Gateway that provides intermediary services for TLS must validate certificates used for TLS functions by performing RFC 5280-compliant certification path validation. | A certificate's certification path is the path from the end entity certificate to a trusted root certification authority (CA). Certification path vali... |
| V-65227 | | The DataPower Gateway providing PKI-based user authentication intermediary services must map authenticated identities to the user account. | Authorization for access to any network element requires an approved and assigned individual account identifier. To ensure only the assigned individua... |
| V-65229 | | The DataPower Gateway providing user authentication intermediary services must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | Lack of authentication enables anyone to gain access to the network or possibly a network element that provides opportunity for intruders to compromis... |
| V-65231 | | The DataPower Gateway providing content filtering must not have a front side handler configured facing an internal network. | DoS attacks can take multiple forms but have the common objective of overloading or blocking a network or host to deny or seriously degrade performanc... |
| V-65233 | | The DataPower Gateway must protect the authenticity of communications sessions. | Authenticity protection provides protection against man-in-the-middle attacks/session hijacking and the insertion of false information into sessions. ... |
| V-65235 | | The DataPower Gateway must invalidate session identifiers upon user logout or other session termination. | Captured sessions can be reused in "replay" attacks. This requirement limits the ability of adversaries to capture and continue to employ previo... |
| V-65237 | | The DataPower Gateway must recognize only system-generated session identifiers. | Network elements (depending on function) utilize sessions and session identifiers to control application behavior and user access. If an attacker can ... |
| V-65239 | | In the event of a system failure of the DataPower Gateway function, the DataPower Gateway must save diagnostic information, log system messages, and load the most current security policies, rules, and signatures when restarted. | Failure in a secure state can address safety or security in accordance with the mission needs of the organization. Failure to a secure state helps pre... |
| V-65241 | | The DataPower Gateway must have ICMP responses disabled on all interfaces facing untrusted networks. | Providing too much information in error messages risks compromising the data and security of the application and system. Organizations carefully consi... |
| V-65243 | | To protect against data mining, the DataPower Gateway providing content filtering must prevent code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launche... |
| V-65245 | | To protect against data mining, the DataPower Gateway providing content filtering must prevent code injection attacks launched against application objects including, at a minimum, application URLs and application code. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launche... |
| V-65247 | | To protect against data mining, the DataPower Gateway providing content filtering must prevent SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to prevent attacks launche... |
| V-65249 | | To protect against data mining, the DataPower Gateway providing content filtering must detect code injection attacks from being launched against data storage objects, including, at a minimum, databases, database records, queries, and fields. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched... |
| V-65251 | | To protect against data mining, the DataPower Gateway providing content filtering must detect SQL injection attacks launched against data storage objects, including, at a minimum, databases, database records, and database fields. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched... |
| V-65253 | | To protect against data mining, the DataPower Gateway providing content filtering as part of its intermediary services must detect code injection attacks launched against application objects including, at a minimum, application URLs and application code. | Data mining is the analysis of large quantities of data to discover patterns and is used in intelligence gathering. Failure to detect attacks launched... |
| V-65255 | | The DataPower Gateway providing user access control intermediary services must provide the capability for authorized users to select a user session to capture or view. | Without the capability to select a user session to capture or view, investigations into suspicious or harmful events would be hampered by the volume o... |
| V-65257 | | The DataPower Gateway must be configured to support centralized management and configuration. | Without the ability to centrally manage the content captured in the audit records, identification, troubleshooting, and correlation of suspicious beha... |
| V-65259 | | The DataPower Gateway must off-load audit records onto a centralized log server. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information s... |
| V-65261 | | The DataPower Gateway must provide an immediate real-time alert to, at a minimum, the SCA and ISSO, of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server. | Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely aff... |
| V-65263 | | The DataPower Gateway must prohibit the use of cached authenticators after an organization-defined time period. | If the cached authenticator information is out of date, the validity of the authentication information may be questionable. This requirement applies ... |
| V-65265 | | The DataPower Gateway providing user authentication intermediary services using PKI-based user authentication must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. | Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked... |
| V-65267 | | The DataPower Gateway providing user authentication intermediary services must conform to FICAM-issued profiles. | Without conforming to Federal Identity, Credential, and Access Management (FICAM)-issued profiles, the information system may not be interoperable wit... |
| V-65269 | | The DataPower Gateway providing user authentication intermediary services using PKI-based user authentication must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of protected sessions. | Non-DoD approved PKIs have not been evaluated to ensure that they have security controls and identity vetting procedures in place which are sufficient... |
| V-65273 | | The DataPower Gateway must implement load balancing to limit the effects of known and unknown types of Denial of Service (DoS) attacks. | If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Load balancing provides service redund... |
| V-65275 | | The DataPower Gateway providing content filtering must protect against known types of Denial of Service (DoS) attacks by employing signatures. | If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of content filtering ga... |
| V-65277 | | The DataPower Gateway providing content filtering must protect against or limit the effects of known and unknown types of Denial of Service (DoS) attacks by employing pattern recognition pre-processors. | If the network does not provide safeguards against DoS attacks, network resources will be unavailable to users. Installation of content filtering gat... |
| V-65279 | | The DataPower Gateway must only allow incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations. | Unrestricted traffic may contain malicious traffic which poses a threat to an enclave or to other connected networks. Additionally, unrestricted traff... |
| V-65281 | | The DataPower Gateway must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. | A common vulnerability of network elements is unpredictable behavior when invalid inputs are received. This requirement guards against adverse or unin... |
| V-65285 | | The DataPower Gateway providing content filtering must generate a log record when unauthorized network services are detected. | Unauthorized or unapproved network services lack organizational verification or validation and therefore may be unreliable or serve as malicious rogue... |
| V-65287 | | The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when unauthorized network services are detected. | Unauthorized or unapproved network services lack organizational verification or validation and therefore, may be unreliable or serve as malicious rogu... |
| V-65289 | | The DataPower Gateway providing content filtering must continuously monitor inbound communications traffic crossing internal security boundaries for unusual or unauthorized activities or conditions. | If inbound communications traffic is not continuously monitored, hostile activity may not be detected and prevented. Output from application and traff... |
| V-65291 | | The DataPower Gateway providing content filtering must continuously monitor outbound communications traffic crossing internal security boundaries for unusual/unauthorized activities or conditions. | If outbound communications traffic is not continuously monitored, hostile activity may not be detected and prevented. Output from application and traf... |
| V-65293 | | The DataPower Gateway providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur. | Without an alert, security personnel may be unaware of major detection incidents that require immediate action and this delay may result in the loss o... |
| V-65295 | | The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when threats identified by authoritative sources (e.g., IAVMs or CTOs) are detected. | Without an alert, security personnel may be unaware of major detection incidents that require immediate action and this delay may result in the loss o... |
| V-65297 | | The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when root level intrusion events which provide unauthorized privileged access are detected. | Without an alert, security personnel may be unaware of major detection incidents that require immediate action and this delay may result in the loss o... |
| V-65299 | | The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when user level intrusions which provide non-privileged access are detected. | Without an alert, security personnel may be unaware of major detection incidents that require immediate action and this delay may result in the loss o... |
| V-65301 | | The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when denial of service incidents are detected. | Without an alert, security personnel may be unaware of major detection incidents that require immediate action and this delay may result in the loss o... |
| V-65303 | | The DataPower Gateway providing content filtering must generate an alert to, at a minimum, the ISSO and ISSM when new active propagation of malware infecting DoD systems or malicious code adversely affecting the operations and/or security of DoD systems is detected. | Without an alert, security personnel may be unaware of major detection incidents that require immediate action and this delay may result in the loss o... |
| V-65305 | | The DataPower Gateway providing user access control intermediary services must provide the capability for authorized users to capture, record, and log all content related to a selected user session. | Without the capability to capture, record, and log content related to a user session, investigations into suspicious user activity would be hampered. ... |
| V-65307 | | The DataPower Gateway must check the validity of all data inputs except those specifically identified by the organization. | Invalid user input occurs when a user inserts data or characters into an application's data entry fields and the application is unprepared to process ... |
| V-65309 | | The DataPower Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography to generate cryptographic hashes. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryp... |
| V-65311 | | The DataPower Gateway providing encryption intermediary services must implement NIST FIPS-validated cryptography for digital signatures. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryp... |
| V-65313 | | The DataPower Gateway providing encryption intermediary services must use NIST FIPS-validated cryptography to implement encryption services. | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. The network element must implement cryp... |
| V-65317 | | The DataPower Gateway must not use 0.0.0.0 as a listening IP address for any service. | Using 0.0.0.0 as a listening address allows all interfaces to receive traffic for the service. This creates an unnecessary exposure when services are ... |
| V-65283 | | The DataPower Gateway providing content filtering must be configured to integrate with a system-wide intrusion detection system. | Without coordinated reporting between separate devices, it is not possible to identify the true scale and possible target of an attack. Integration o... |
| V-65315 | | The DataPower Gateway must off-load audit records onto a centralized log server in real time. | Off-loading ensures audit information does not get overwritten if the limited audit storage capacity is reached and also protects the audit record in ... |
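V-65317 (no 0.0.0.0 listener) and V-65213 (only PPSM-approved ports) are the two rows above that can be checked mechanically against an exported configuration rather than by reading the UI. The following is an added example and not IBM's or DISA's tooling: it walks a constructed, export-like XML document and reports every front side handler bound to an unspecified address or to a port outside an approved list. The element name `HTTPSourceProtocolHandler`, the `LocalAddress`/`LocalPort` fields and the sample document are assumptions for this example; confirm them against a real domain export before relying on the script.

```python
"""Audit listener bindings in a DataPower-style configuration export.

Added example (not DataPower's own tooling). SAMPLE_EXPORT is constructed for
this example and only approximates a domain export: the handler element names
and the LocalAddress/LocalPort fields are assumed, so map them to the real
export format before running this against a device.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed sample: one IPv4 wildcard listener, one correctly bound
# listener, one IPv6 wildcard listener on a port outside the approved list.
SAMPLE_EXPORT = """<datapower-configuration>
  <configuration domain="example">
    <HTTPSourceProtocolHandler name="api-fsh">
      <LocalAddress>0.0.0.0</LocalAddress>
      <LocalPort>8080</LocalPort>
    </HTTPSourceProtocolHandler>
    <HTTPSSourceProtocolHandler name="partner-fsh">
      <LocalAddress>10.20.30.40</LocalAddress>
      <LocalPort>8443</LocalPort>
    </HTTPSSourceProtocolHandler>
    <HTTPSourceProtocolHandler name="v6-fsh">
      <LocalAddress>::</LocalAddress>
      <LocalPort>9090</LocalPort>
    </HTTPSourceProtocolHandler>
  </configuration>
</datapower-configuration>
"""


@dataclass(frozen=True)
class Finding:
    handler: str
    address: str
    port: int
    reason: str


def is_wildcard(address: str) -> bool:
    """True for the unspecified address in any spelling (0.0.0.0, ::, 0:0:0:0:0:0:0:0).

    Non-literal values (host names, aliases) are not understood and return
    False; they should be reviewed by hand.
    """
    try:
        return ipaddress.ip_address(address.strip()).is_unspecified
    except ValueError:
        return False


def audit_listeners(export_xml: str,
                    approved_ports: FrozenSet[int] = frozenset()) -> List[Finding]:
    """Return one Finding per rule violation, in document order.

    Every element whose tag ends in 'SourceProtocolHandler' is treated as a
    front side handler (assumed naming). If approved_ports is empty the
    port check is skipped and only wildcard bindings are reported.
    """
    root = ET.fromstring(export_xml)
    findings: List[Finding] = []
    for elem in root.iter():
        if not elem.tag.endswith("SourceProtocolHandler"):
            continue
        name = elem.get("name", "<unnamed>")
        address = (elem.findtext("LocalAddress") or "").strip()
        port_text = (elem.findtext("LocalPort") or "0").strip()
        port = int(port_text) if port_text.isdigit() else 0
        if is_wildcard(address):
            findings.append(Finding(name, address, port,
                                    "bound to wildcard address (V-65317)"))
        if approved_ports and port not in approved_ports:
            findings.append(Finding(name, address, port,
                                    "port not on approved list (V-65213)"))
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_EXPORT, frozenset({8080, 8443})):
        print(f"{f.handler}: {f.address}:{f.port} -> {f.reason}")
```

Run against the sample, the script reports `api-fsh` and `v6-fsh` for the wildcard rule and `v6-fsh` again for the port rule; `partner-fsh` is silent. Because the check keys off the address literal, a handler bound to an interface alias or host name is not evaluated and should be resolved by hand.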
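V-65235 and V-65237 together describe one session-handling property: an identifier is valid only if the system issued it, and it stops being valid the moment the session ends. The following is an added example that illustrates that property in plain Python; it is not DataPower code and says nothing about how the appliance stores sessions. The in-memory store, the 900-second idle timeout and the `walkthrough` sequence are constructed for the example.

```python
"""Server-issued session identifiers that die on logout.

Added example for V-65235 / V-65237; not DataPower code. The store is an
in-memory dict standing in for whatever backing store a gateway would use,
and the idle timeout below is an assumed value for the example.
"""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional

SESSION_TTL_SECONDS = 900  # assumed idle timeout


def _key(session_id: str) -> str:
    # Store only a digest of the identifier: a leaked table does not hand out
    # usable ids, and lookup is a hash-then-get, not a comparison against
    # the caller's bytes.
    return hashlib.sha256(session_id.encode("utf-8")).hexdigest()


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._sessions: Dict[str, dict] = {}  # sha256(id) -> {"user", "expires"}

    def create(self, user: str) -> str:
        """Issue a fresh identifier from the OS CSPRNG; the client never picks it."""
        session_id = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._sessions[_key(session_id)] = {
            "user": user,
            "expires": self._clock() + SESSION_TTL_SECONDS,
        }
        return session_id

    def resolve(self, presented_id: str) -> Optional[str]:
        """Return the user for a live, system-issued id, otherwise None.

        An id the system never issued (attacker-chosen, fixated, or forged)
        has no entry and is rejected regardless of how well-formed it looks.
        An expired id is removed on first use so it cannot be revived.
        """
        record = self._sessions.get(_key(presented_id))
        if record is None:
            return None
        if record["expires"] <= self._clock():
            self.invalidate(presented_id)
            return None
        return record["user"]

    def invalidate(self, session_id: str) -> bool:
        """Logout or forced termination: the id must never resolve again."""
        return self._sessions.pop(_key(session_id), None) is not None

    def rotate(self, old_id: str) -> Optional[str]:
        """Reissue on privilege change (e.g. after login) so a pre-auth id
        an attacker may have planted carries nothing forward."""
        user = self.resolve(old_id)
        if user is None:
            return None
        self.invalidate(old_id)
        return self.create(user)


def walkthrough() -> Dict[str, bool]:
    """Constructed sequence: issue, use, client-chosen id, logout, replay."""
    store = SessionStore()
    sid = store.create("alice")
    rotated = store.rotate(sid)
    return {
        "issued_id_resolves": store.resolve(rotated) == "alice",
        "pre_rotation_id_rejected": store.resolve(sid) is None,
        "client_chosen_id_rejected": store.resolve("chosen-by-client-0001") is None,
        "logout_succeeds": store.invalidate(rotated),
        "replay_after_logout_rejected": store.resolve(rotated) is None,
        "second_logout_is_noop": store.invalidate(rotated) is False,
    }


if __name__ == "__main__":
    for step, ok in walkthrough().items():
        print(f"{step}: {'ok' if ok else 'FAIL'}")
```

The two rules fall out of the data structure rather than from input validation: `resolve` cannot accept an id that `create` did not produce, and `invalidate` removes the only record that could make it resolve, so a captured id replayed after logout (the attack V-65235 names) is indistinguishable from a made-up one.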